                  Payroll Conversion

                       EXECUTIVE SUMMARY

We found that the Office of Administrative and Personnel Management (OAPM)
effectively coordinated the Commission’s conversion to the Department of the Interior’s
payroll system. Users generally felt that OAPM payroll staff were doing a good job,
given resource constraints, and were responsive to their needs.

Commission employees, particularly supervisors and managers, have had some
difficulties in learning to use the new system. In some cases, access controls have been
compromised, as discussed below. We are making several recommendations to
enhance access controls and customer service, including issuing guidance, providing
training, and establishing a help desk and web page.

OAPM provided written comments (attached) on a draft of this report. Generally, OAPM
concurred with our recommendations.

                              BACKGROUND

The Commission’s prior payroll system, known as the Pay, Time, and Leave (PTL)
system, was not year 2000 compliant, and imposed a substantial administrative burden
on the Office of Information Technology. Consequently, the Commission converted to
the Department of Interior’s (DOI) Federal Personnel/Payroll System (FPPS) on June
20, 1999. Responsibility for payroll was transferred from the Office of the Comptroller
(OC) to the Office of Administrative and Personnel Management.

Commission computers connect to the DOI system in Washington, D.C. FPPS
headquarters are in Denver, Colorado. Firewalls protect both systems from
unauthorized access, and the system maintains a log of any unauthorized access
attempts.

The FPPS is used by several other agencies, including the Department of Education, the
Federal Labor Relations Authority, the Federal Trade Commission, the Pension Benefit
Guaranty Corporation, and the Social Security Administration.
DOI currently charges
$160 a year for each W-2 form processed (i.e., payroll/personnel services for one
employee), which costs the Commission about $522,000 annually.

FPPS is a mainframe-based, real-time personnel and payroll system. It incorporates all
current Office of Personnel Management regulations. All personnel and time and
attendance (T&A) transactions are processed and maintained in electronic form. Unlike
the PTL system, which required managers to sign a paper document, requests for
personnel actions and time and attendance entries are signed electronically.

FPPS controls transaction processing functionally. Each user has access only to a
specific range of data (e.g., organization codes, action types, etc.), and specific
commands needed to complete a transaction. System access is protected by
passwords, and by users’ access profiles.

For time and attendance, timekeepers enter hours worked and leave taken for each
employee into the system. Then, they forward the data to the certifying official
(generally, a manager or supervisor) for that official’s review and certification. The data
are then released to DOI for processing.

For personnel action requests, administrative contacts or clerical staff initiate an
electronic form (analogous to paper form SF-52). Authorizing officials (managers or
supervisors) review the requests, electronically sign them, and forward them to the
Comptroller’s Office for its review and concurrence.
The Comptroller’s Office then
transmits the request to OAPM for final processing.

                                 OBJECTIVES AND SCOPE

Our objective was to determine whether the conversion to DOI’s system was effective,
and whether Commission payroll controls were properly implemented (we did not assess
controls administered by DOI). During the audit, we interviewed DOI and Commission
staff, surveyed users by questionnaire, reviewed relevant documentation, and tested
selected controls, including access controls. We conducted the audit between
December 1999 and July 2000 in accordance with generally accepted government
auditing procedures.

                                    AUDIT RESULTS

We found that overall, the conversion to the DOI system was effective, and commend
OAPM for its efforts. OAPM and OC coordinated a working group consisting of
themselves and the Office of Information Technology (OIT). This group met with DOI
and dealt with issues associated with the transition, which took over six months. To stay
current on system developments, OAPM now participates in an FPPS users group with
other agencies.

OAPM took several actions to acclimate users to the FPPS, although these actions have
not yet been fully effective, as explained below. It provided training to users (although
some users did not attend, especially managers) and a timekeeper’s manual, which
users say is helpful. It created a mailbox for users, and sent out numerous e-mails
concerning the system. To reduce the administrative burden on timekeepers, it
authorized not entering credit hours into the system (since credit hours do not affect
leave balances, and a hard copy record of them is maintained).
Most users who
participated in our survey indicated that the payroll staff are responsive to their needs.

We found that access controls were not being properly implemented in some cases,
because of some managers’ reluctance to use the system, or unfamiliarity with it. The
access controls help ensure the integrity of system data by limiting approval of
transactions to authorized users (management). As explained below, we are
recommending certain steps to enhance security and improve customer service.

Payroll Conversion (Audit 314)                                        September 22, 2000

AUTHORIZING PERSONNEL ACTIONS

The DOI system allows personnel actions to be initiated and signed on-line, including
hiring and terminating employees, job or grade changes, and placement in a pay or non-pay
status. The DOI system limits access to the system and separates duties to help
prevent inadvertent errors or deliberate falsification of documents.

An initiator (generally, a clerical or administrative employee) enters the data concerning
the action into FPPS. An approving official (the office head or other management official
designated by the office head) reviews and signs the action. The electronic signature
replaces the manual signature on the prior paper form, the SF-52.
The fact that the
signature is electronic should not make a substantive difference; i.e., if only managers
are authorized to sign a paper SF-52, then only managers should be authorized to sign
an electronic equivalent.

Our testing identified six offices or divisions which had not properly implemented the
above controls. These offices or divisions allowed a program support specialist (or
assistant, in one case) between grade levels 8 and 13 to sign personnel actions, rather
than managers. In addition, five of the six allowed the same program support specialist
to both initiate and sign personnel actions. Of the 504 personnel actions the
Commission processed under FPPS, 25% (127) were entered and approved by one
program support specialist.

To ensure that FPPS processes only properly authorized personnel actions, OAPM
needs to provide guidance to offices and divisions, and follow up to ensure that the
guidance has been implemented.

       Recommendation A
       OAPM should issue guidance to office heads and divisions on the proper
       authorization of personnel actions as discussed above. It should confirm that all
       offices and divisions have properly authorized access to the DOI personnel
       system.

SEPARATING FPPS USERS

We reviewed a listing of authorized FPPS users.
Fifty persons on the listing (out of a
total of 825 users) were former employees who should not have access to the system.

       Recommendation B
       OAPM should develop procedures to ensure that separating employees are
       promptly deleted from FPPS access (e.g., by periodically comparing a listing of
       separating employees to an FPPS user listing).

SHARING OF PASSWORDS

Two administrative contacts told us that they use their supervisor’s password to perform
functions not assigned to them, such as certifying T&A entries (including their own) and
approving personnel actions. The supervisors, who were senior managers, apparently
wished to avoid administrative inconvenience. However, by sharing passwords, the
supervisors have circumvented FPPS controls.

OAPM stated that it has taken corrective action in these two cases.
However, the
administrative staff involved stated that they believe sharing of FPPS passwords is a
common practice.

       Recommendation C
       OIT, in consultation with OAPM, should remind all FPPS users that sharing
       passwords is not allowed and is a serious violation of good security practices.
       OAPM should describe to senior management how FPPS’s administrative
       burden can be minimized while maintaining its controls (e.g., an office head can
       delegate approval and certifying functions to another manager in that office,
       rather than the office head or administrative staff exercising these functions).

TRAINING OF USERS

Only 194 Commission employees out of 894 users attended training in FPPS, according
to OAPM’s records. Only three office heads attended the training. The lack of training
may account for some of the difficulties users are having with the system.

DOI also offers computer-based training. This training leads the new user through FPPS
functions. Some training in the FPPS system (whether classroom or computer-based)
should be required before users receive their access codes.

       Recommendation D
       OAPM should ensure that all users have appropriate classroom or computer-based
       training. It should consider providing office heads with a brief overview of
       FPPS and their responsibilities. OAPM should coordinate with the Office of
       Information Technology on security awareness training.

VIEWING LEAVE BALANCES

Each pay period, OAPM sends a memorandum to timekeepers on T&A errors. Many
errors relate to insufficient leave balances, which could have been prevented if
timekeepers knew the balances.

Timekeepers generally told us that they did not know how to obtain leave balances from
FPPS. Some indicated that they still keep manual records, which wastes time.
Under
the FPPS tracking and utilities functions, timekeepers are authorized to view and print a
report of leave balances.

       Recommendation E
       OAPM should tell timekeepers how to view leave balances and to print a leave
       balance report.

IMPROVING CUSTOMER SERVICE

To help evaluate the effectiveness of the payroll office, we asked users to rate it on a
scale of one to five (1 = Unsatisfactory, 2 = Fair, 3 = Good, 4 = Very Good, and 5 =
Excellent). Of the 56 users who rated the office, 38 (68%) rated the office as good or
better, with an average rating of 3.3.

We also asked users to suggest improvements to the office. They suggested that the
payroll office have staff available to answer the phone (rather than rely on voice mail);
shorten the response time for questions; and check the FPPS mailbox more often.

OAPM stated that the office had been short-staffed and unable to respond to users as
quickly as desired. This problem has now been corrected. OAPM plans to set up a help
desk for users and establish a performance goal of responding to users within 72 hours.

       Recommendation F
       OAPM should implement its plans to improve customer service.

WEB PAGE

The DOI web page provides user manuals, personnel codes, and general information
about FPPS. Most respondents to our questionnaire said that they were unaware of the
site.
This information could help users avoid some processing problems.

OAPM has issued several e-mails and other guidance on the FPPS. This material could
be made readily available to users through a payroll site on the Intranet, linked to the
DOI site.

       Recommendation G
       OAPM should set up an FPPS web site on the Intranet that links to DOI’s web
       site.
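
Two of the access-control checks discussed in this report lend themselves to a periodic automated reconciliation: Recommendation B's comparison of separating employees against the FPPS user listing, and the rule under AUTHORIZING PERSONNEL ACTIONS that a manager other than the initiator signs each action. The sketch below is an added example, not part of the audit report or of FPPS; the CSV column names, user IDs and role labels are constructed assumptions.

```python
import csv
import io

# Constructed sample exports; column names and values are assumptions, not FPPS formats.
FPPS_USERS = """user_id,role
u101,manager
u102,program_support
u103,program_support
u104,manager
"""
SEPARATIONS = """user_id,separation_date
u103,2000-03-31
u200,2000-04-15
"""
PERSONNEL_ACTIONS = """action_id,initiator,approver
pa-1,u102,u101
pa-2,u102,u102
pa-3,u103,u102
pa-4,u103,u104
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def stale_accounts(users_csv, separations_csv):
    """User IDs still on the access listing although the employee has separated."""
    separated = {r["user_id"] for r in _rows(separations_csv)}
    return sorted(r["user_id"] for r in _rows(users_csv) if r["user_id"] in separated)

def authorization_exceptions(users_csv, actions_csv, approver_roles=frozenset({"manager"})):
    """Map action_id -> reasons the signature does not meet the control."""
    roles = {r["user_id"]: r["role"] for r in _rows(users_csv)}
    findings = {}
    for a in _rows(actions_csv):
        reasons = []
        if a["initiator"] == a["approver"]:
            reasons.append("same user initiated and signed")
        # An approver missing from the user listing is treated as unauthorized.
        if roles.get(a["approver"]) not in approver_roles:
            reasons.append("approver is not a designated manager")
        if reasons:
            findings[a["action_id"]] = reasons
    return findings

if __name__ == "__main__":
    print("stale accounts:", stale_accounts(FPPS_USERS, SEPARATIONS))
    for action, reasons in authorization_exceptions(FPPS_USERS, PERSONNEL_ACTIONS).items():
        print(action, "->", "; ".join(reasons))
```

A separated employee who never held an account (u200 in the sample) is ignored, so the output lists only accounts that still need to be removed.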